Mobile Threat Monday: Analyzing Android Apps with Santoku Linux

Mobile security professionals analyze mobile apps to identify malware and audit apps for any privacy or security issues. We decided to try out some of the tools to learn what it takes to perform mobile analysis and forensics.

When Security Watch started Mobile Threat Monday, one of our goals was to start a broader conversation on mobile application security. Threats aren't just malicious apps or scams targeting mobile devices. Poorly coded apps that store data insecurely, or that transmit information in a way anyone can eavesdrop on, are also a problem. Some apps share a large amount of user data with third-party advertiser networks. When an app does things in the background without informing the user, it becomes a security or privacy issue.

Sponsored by digital forensics and security firm viaForensics, Santoku Linux comes chock-full of useful scripts and utilities to perform mobile forensics, decompile apps, and detect common issues in mobile applications, to name just a few. The distribution already comes with some of the tools that I would use for penetration testing, such as Metasploit, nmap, and SQLMap. Santoku also has reverse engineering tools and wireless analyzers.

What did we learn? Even with a wealth of tools at our disposal, the process is time-consuming and difficult. There is a reason why businesses and end-users rely on the companies running the app marketplaces (we are looking at you, Apple, Google, and Amazon) and the actual developers to ensure the apps are safe and secure to use.

Preparing the Testbed

I downloaded the full .iso image of Santoku Linux from its website and installed it onto a spare testing laptop. I also needed a phone to test with.

With Santoku, I had a choice of using the Android SDK Manager to run an emulator or hooking up a physical device via USB. I easily created an Android Virtual Device (AVD) running Android 4.2.2 (Jelly Bean) and started the emulator. It was quick, but emulators require a lot of memory, so the machine I was using to run Santoku slowed to a crawl.

Using the emulator would be a great idea for future attempts because it means I can test how apps behave on different hardware without having to track down each type of phone. For now, I decided to connect a Nexus 4.

First, I had to get root access on the Nexus 4 phone. The process of unlocking the phone and getting root varies from hardware to hardware. Luckily for me, there is a nifty tool called Nexus Root Toolkit (v1.7.9) from Android developer "WugFresh" that makes the entire process dead simple for Nexus devices. After selecting the phone model (LG-E960) and the operating system version (KitKat, 4.4.2), I hit a button to unlock the device, and then another button to gain root.

I was done, and ready to begin my foray into mobile forensics.

Collecting Data from the Device

I decided to start small and see what information I could collect using AFLogical Open Source Edition, a collection of tools that collect Android phone data. I installed the app onto the Nexus 4 using the ADB utility and then selected the options to collect MMS, SMS, Contacts, and Call Logs. The utility extracted all the data and copied the .csv files onto my computer within seconds. I could see the contacts I had saved in the address book and view all the calls and SMS messages made from the device.

That was the easiest part. Mobile analysis and forensics got progressively harder after that.

I like to use Wireshark to scrutinize network activity. ChaosReader is a similar tool that let me capture how apps transmit data. I logged into Dropbox's Android app, downloaded three different files, and opened a PDF file from my account. ChaosReader made it easier to make sense of all the packet data.

With Androguard, I was able to reverse engineer an Android app. Reverse engineering the app is only half the battle. You still need to find that problematic code.

Devices running Android 3.0 (Honeycomb) and newer use standard Linux dm-crypt encryption to unlock/lock the device and to encrypt/decrypt data stored on the device. I used the Android Brute Force Encryption program on Santoku Linux to crack the PIN used to lock the Nexus 4. I had to perform a few steps to pull the required header and footer files, but once that was done, the cracking program was able to figure out the passcode in a matter of minutes.

What's Next?

After seeing how processor- and memory-intensive some of the tools can be, I am going to install Santoku onto a virtual machine with a lot of memory allocated. The next step is really to dig into the various tools and learn how to use them.

Even with helpful scripts and automation, you still need to know what you are looking for to identify issues. I spent more time trying to understand the output than I did collecting the data for my forensic analysis. I was always in awe of what mobile security researchers did, and now have a healthy respect for the amount of work our partners—Appthority, BitDefender, and F-Secure—put in each week for Mobile Threat Monday.

About the Author

Fahmida Y. Rashid is a senior analyst for business at PCMag.com. She focuses on ways businesses can use technology to work efficiently and easily. She is paranoid about security and privacy, and considers security implications when evaluating business technology. She has written for eWEEK, Dark Reading, and SecurityWeek covering security, core Inte...
